Growing your business

We use cookies to give you the best possible online experience. If you continue, we'll assume you are happy for your web browser to receive all cookies from our website. See our cookie policy for more information on cookies and how to manage them.

GDPR update

Published: 20 Dec 2017

The EU's General Data Protection Regulation (GDPR) is designed to bring data protection legislation into line with new, previously unforeseen ways that data is now used. The current Data Protection Act 1998 will be replaced by the new legislation, which is due to come into effect in May 2018. GDPR will introduce tougher fines for non-compliance and breaches and gives consumers more control over what companies can do with their data.

At Aviva, we believe GDPR can be an opportunity to build customer trust through effective management of their personal data. Aviva believes that the new legislation is inherently aligned with treating customers fairly. The challenges and impact of GDPR are far-reaching. Aviva UK

Insurance is committed to working with its intermediaries, partners, suppliers and other parties it does business with to ensure that collectively we are prepared to meet the requirements of the GDPR ahead of May 2018.In everything, we do we will need to consider the privacy rights and interests of customers. We are trying to simplify where we can, and be transparent, rather than add complexity through the legislative changes. To this end, Aviva has created a GDPR delivery programme to assess and design changes to how we use customer data in line with GDPR requirements. The programme is subject to Aviva board-level oversight. Some of these changes will impact you and your customers.

We want to ensure that all the third parties we work with understand how Aviva is preparing for GDPR. The purpose of this document is to provide a high-level view of GDPR and the approach to compliance in Aviva, and an understanding of where to find out more information about GDPR from us.

As well as focussing on the above we are also implementing a consistent Data Protection framework across all our businesses globally.

What's Changing?

GDPR will apply to all organisations that process personal data about data subjects in the EU. This legislation is still relevant to UK businesses, even after the UK officially leaves the European Union. The changes under GDPR will apply to all personal data leaving the EU - for example, any data that is shipped to a partner offshore. The changes are designed to strengthen the rights of individuals regarding who holds their data and how it is used. For example, a customer could request that their personal data is erased, or 'forgotten'. For individuals, the changes mean enhanced protection. Essentially this is a much more thorough and rigorous programme of data protection for individuals than the current Data Protection Act affords. And for those organisations that fail to comply with GDPR, significant fines and penalties can be applied.

Impacts of GDPR

Our approach to GDPR is to focus on ensuring we are prepared to meet our obligations under the new regulations for handling personal data- For Aviva UK Insurance, this is a high number of data records across our customer base

Personal data refers to any and all information about an identified or identifiable living individual. So, not only does this include data such as name and address, but the GDPR also brings in to scope previously unconsidered data such as IP address.

GDPR has also identified 'Special Categories' of personal data which are also protected. This includes data such as the individual’s race or ethnic origin, political opinions, trade union membership, religion, health data and criminal records.

The enhanced rights our customers have over their data under GDPR, and our responsibility as both data processor and data controller, are critical factors shaping our programme.

Those organisations acting as both Data Processor as well as the Data Controller can be held liable for any breach of the GDPR legislation. Aviva is currently working on our contracts with all third parties we work with to identify how and where contracts need to be amended in response to the regulation. We will be contacting all relevant stakeholders in relation to this anytime between now and Q1 2018.

GDPR introduces greater accountability for businesses, and we must be able to demonstrate that we are meeting the requirements of the new legislation. Crucially, the GDPR legislation includes fines of up to 4% of group annual turnover and other regulatory action (including more extensive powers of Information Regulator who can impose limitations on processing personal data).

Over the next few months we will provide additional guidance on key issues such as data portability, data subject access requests (DSAR's) and guidelines for reporting a data incident.

Data Protection Principles

Article 5 of the GDPR re-quires that personal data shall be:

Lawful - Processed lawfully, fairly and in a transparent manner in relation to individuals

Legitimate - Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes

Limited - Adequate, relevant and limited to what is necessary for relation to the purposes for which they are processed

Accurate - Accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that is inaccurate is erased or rectified without delay

Stored - Stored in a form which permits identification of individuals for no longer than necessary

Secured - Ensure appropriate security of the personal data including protection against unlawful processing or accidental loss, destruction or damage

What rights do data subjects have when processing personal data?

GDPR increases the data protection rights of our customers. What does this mean for them?

Enhanced Access - customers have the right to request information about the data that we hold about them and what we do with it.

Rectification- individuals have the right to have personal data corrected if it is inaccurate and, considering the purposes of the processing, the right to have incomplete personal data completed.

Erasure - Individuals will have an enhanced right to request that we erase their personal data in certain circumstances.

Restrict processing - customers will also have the right to request that we restrict the processing of their personal data in certain circumstances

Data portability - Our customers have the right to receive personal information that they have provided to us in a structured, machine-readable form and to have us transmit the personal information to another organisation where technically feasible.

Object- right to object to us processing their personal information.

Automated decision-making, including profiling - customers have the right not to be subject to a decision based solely on automated processing which produces illegal or similarly significant effects.

Next Steps for you to consider

What can your organisation do to safeguard data subjects information?

Review your local processes and culture to ensure your organisation is ready and compliant for GDPR.

We will be contacting you if we believe that our commercial contract needs to be amended in order to comply with GDPR. Please keep an eye out for contact from Aviva.

We will also be changing our literature to reflect the changes in the legislation - please expect updates in the near future. Any further questions can be sent to AskGDPR@aviva.com

We are running a GDPR overview Webex on 24th January 2018. Please email AskGDPR@aviva.com to register your interest, or speak to your relationship manager if you would like to join.

We’ll be in touch with further updates in the New Year, so please keep an eye out for more updates coming soon.